Cisco Support Community
Community Member

Simple site-to-site VPN

Greetings,

As part of my learning phase, can anyone here help me out in establishing a simple site-to-site VPN tunnel? I have two routers of the same model, Cisco 887, at the head office and the branch office. Though both routers have ADSL ports, I am not using them. I have connected FE0 on both to an ADSL router. FE4 is connected to the internal LAN. The IP details of the ADSL routers are as below. I am able to reach/ping the public IP of the ADSL router at the branch office from ROUTER HO and vice versa. However, I am not able to reach/ping the internal address of the ADSL router from either side. The VPN tunnel status (sh crypto session sa) is down. I would appreciate it if anyone could throw some light on establishing the VPN tunnel successfully.

ADSL Router at Head Office

Public IP: Y1.Y2.Y3.Y4

Internal Router IP:  10.0.0.100

ADSL Router at Branch Office

Public IP: X1.X2.X3.X4

Internal Router IP: 10.0.0.200

I have copied below the configuration on both the routers.

ROUTER HEAD OFFICE

Current configuration : 5808 bytes
!
! Last configuration change at 16:26:46 UTC Sun Feb 5 2012
! NVRAM config last updated at 16:27:11 UTC Sun Feb 5 2012
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST-HO
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$bxBd$mGyzuH6QB7818ej8QYbZn.
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4238154276
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4238154276
 revocation-check none
 rsakeypair TP-self-signed-4238154276
!
!
crypto pki certificate chain TP-self-signed-4238154276
 certificate self-signed 01

  quit
ip source-route
!
ip cef
no ip domain lookup
no ipv6 cef
!
license udi pid CISCO887-K9 sn FCZ154292H8
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 cisco address X1.X2.X3.X4
!
!
crypto ipsec transform-set BASESET esp-aes esp-sha-hmac
!
crypto map HO-LOC 10 ipsec-isakmp
 set peer X1.X2.X3.X4
 set transform-set BASESET
 match address 101
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 crypto map HO-LOC
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.0.0.250 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.100
!
ip access-list standard telnet
 permit 192.168.10.100
 permit 192.168.10.0 0.0.0.255
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.10.100
access-list 20 permit 192.168.11.100
access-list 20 permit 10.0.0.101
access-list 20 permit 10.0.0.201
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password ciscocisco
 login
 no modem enable
line aux 0
line vty 0 4
 access-class 20 in
 privilege level 15
 password ciscocisco
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
end

ROUTER BRANCH OFFICE

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST-BRANCH
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$TdJc$omfRbpgqI9BjgOOmYP9Vh0
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1165403665
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1165403665
 revocation-check none
 rsakeypair TP-self-signed-1165403665
!
crypto pki certificate chain TP-self-signed-1165403665
 certificate self-signed 01

  quit
ip source-route
!
ip cef
no ip domain lookup
no ipv6 cef
!
license udi pid CISCO887-K9 sn FCZ154292HD
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 cisco address Y1.Y2.Y3.Y4
!
crypto ipsec transform-set BASESET esp-aes esp-sha-hmac
!
crypto map HO-LOC 10 ipsec-isakmp
 set peer Y1.Y2.Y3.Y4
 set transform-set BASESET
 match address 101
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 crypto map HO-LOC
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.0.0.251 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.200
!
ip access-list standard telnet
 permit 192.168.11.100
 permit 192.168.11.0 0.0.0.255
!
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 20 permit 192.168.10.100
access-list 20 permit 192.168.11.100
access-list 20 permit 10.1.0.100
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
no cdp run
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 014A5F5D7B080F1C2243
 login
 no modem enable
line aux 0
line vty 0 4
 access-class 20 in
 privilege level 15
 password 7 025F5D022B0506324F41
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Cheers!!! 

Reizhi

2 REPLIES

Simple site-to-site VPN

Hello,

On the crypto map you have selected as the crypto ACL:

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

Are you able to ping from 192.168.10.0/24 to 192.168.11.0/24? That is going to be the interesting traffic to be encrypted.

Also, you have not applied the crypto map to any interface; please do that as well.

Example:

interface Vlan1
 crypto map HO-LOC

Let me know??

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
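Added here as an example and not code from either poster: a small Python checker that reads a constructed excerpt of the head-office config from the original post (HO_CONFIG, trimmed to the lines it needs) and reports on what this reply turns on, whether the crypto map is bound to an interface that actually routes (on an 887, FastEthernet0 is a switch port with no IP address; Vlan1 is the routed interface) and whether the crypto ACL it matches exists, plus one check the thread does not raise: that the NAT ACL, here access-list 1, does not translate the 192.168.10.0/24 to 192.168.11.0/24 flow before it can match ACL 101. The names net, parse and check are my own, and the parser assumes numbered ACLs with contiguous wildcard masks and the one-space indentation of show running-config output.

```python
import re
from ipaddress import IPv4Address, IPv4Network
# Constructed excerpt of the head-office config from the original post, trimmed to the lines these checks read.
HO_CONFIG = """\
interface FastEthernet0
 crypto map HO-LOC
interface Vlan1
 ip address 10.0.0.250 255.255.255.0
ip nat inside source list 1 interface Vlan1 overload
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
crypto map HO-LOC 10 ipsec-isakmp
 match address 101
"""
ACL = re.compile(r"^access-list (\d+) (permit|deny)(?: ip)? (\S+) (\S+)(?: (\S+) (\S+))?$")

def net(addr, wildcard):
    """IOS address + wildcard mask -> network; assumes a contiguous wildcard (0.0.0.255, 0.0.0.0, ...)."""
    return IPv4Network((addr, 32 - int(IPv4Address(wildcard)).bit_length()), strict=False)

def parse(cfg):
    blocks, acls, cur, nat = {}, {}, None, None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur:
            blocks[cur].append(line.strip())        # indented line = sub-command of the current block
            continue
        cur, blocks[line] = line, []               # every top-level line opens a (possibly empty) block
        if m := ACL.match(line):
            dst = net(m[5], m[6]) if m[5] else None   # None: standard ACL, matches on source only
            acls.setdefault(m[1], []).append((m[2], net(m[3], m[4]), dst))
        elif line.startswith("ip nat inside source list"):
            nat = line.split()[5]
    return blocks, acls, nat   # top-level line -> sub-commands, ACL number -> [(action, src, dst|None)], NAT ACL number

def check(cfg):
    """Findings for the three things the thread turns on; an empty list means all clear."""
    blocks, acls, nat_acl = parse(cfg)
    has = lambda sub, prefix: any(s.startswith(prefix) for s in sub)
    findings = [f"crypto map bound to {h.split()[1]}, which has no IP address (a switchport)"
                for h, sub in blocks.items() if h.startswith("interface") and has(sub, "crypto map") and not has(sub, "ip address")]
    crypto_acl = next((s.split()[2] for h, sub in blocks.items() if h.startswith("crypto map")
                       for s in sub if s.startswith("match address")), None)
    if crypto_acl not in acls:
        return findings + [f"crypto map matches ACL {crypto_acl}, which is not defined"]
    for _, csrc, cdst in acls[crypto_acl]:   # the first matching NAT entry decides, as in IOS; none = not translated
        first = next((a for a, nsrc, ndst in acls.get(nat_acl, [])
                      if nsrc.overlaps(csrc) and (ndst is None or cdst is None or ndst.overlaps(cdst))), "deny")
        if first == "permit":
            findings.append(f"NAT ACL {nat_acl} translates {csrc} -> {cdst} before crypto ACL {crypto_acl} sees it")
    return findings
```

If the NAT finding fires, the usual fix is to switch the NAT ACL to an extended one whose first entry denies the VPN flow ahead of the permit, so the traffic reaches the crypto map untranslated.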
Community Member

Simple site-to-site VPN

Thank you Julio for your time. I am not able to ping from 192.168.19.0/24 to 192.168.11.0/24 and back. When I ping I get the reply "TTL expired in transit".

The sh crypto session command gives me an interface status of DOWN. In fact I have added the crypto map HO-LOC to interface FastEthernet0, if you look at my earlier configuration. However, I have even tried applying it to Vlan1 as suggested, with no luck.

Head Office

PC(192.168.10.100)  ---- Cisco887 FE4(Vlan2 - 192.168.10.1) & FE0(Vlan1 - 10.0.0.250) ---- ADSL Router 10.0.0.100 & Y1.Y2.Y3.Y4

Branch Office

PC(192.168.11.100)  ---- Cisco887 FE4(Vlan2 - 192.168.11.1) & FE0(Vlan1 - 10.0.0.251) ---- ADSL Router 10.0.0.200 & X1.X2.X3.X4

So to give you an idea, I am able to ping X1.X2.X3.X4 from 192.168.10.100, and I am also able to ping Y1.Y2.Y3.Y4 from 192.168.11.100.

I am missing some entries. 
